One signed binary. Every feature compiled in. Free to run. Install Crowkis →
← back to the Roost
engineeringJune 26, 2026· 5 min read

One container, zero dependencies: what's deliberately absent from our image

The most secure dependency is the one that isn't there. Crowkis ships as a single stripped binary with the model baked in, no Python, no package manager, nothing to poison at runtime.

Every dependency in your runtime is a door someone else can walk through. The supply-chain attacks that make headlines don't break your code, they slip something into a package your code trusts. So when we packaged Crowkis, we asked a different question than 'what should we add?' We asked 'what can we leave out?'

what's in the runtime image

One file to review. No supply chain to compromise.

In plain words: The whole product is a single compiled binary with the embedding model bundled inside it. There's no interpreter to exploit, no package index to typo-squat, nothing to download when it starts.

For a security team, this changes the review from auditing a dependency tree of thousands of packages to reviewing one artifact. For an air-gapped or regulated deployment, it means the thing runs with no network at all, the model is already inside. The absence is the feature.

The bottom line

You can't be compromised through a dependency you don't ship. One binary, one model, no runtime supply chain, the smallest attack surface we could build.